
Pwn2Own Automotive 2026 has crossed the finish line with a record-breaking performance. As the world’s largest zero-day vulnerability discovery contest, the three-day event roared to a triumphant conclusion, with researchers successfully identifying 76 unique zero-day vulnerabilities across 73 attempts. It was a masterclass in speed and precision, challenging the world's best to secure the future of software-defined vehicles (SDVs) and electric vehicle (EV) infrastructure.
Attempt Highlights
The first successful attempt of the day came from Petoworks, which breached the Grizzl-E Smart 40A by leveraging a single buffer overflow bug.
For IVIs, Team DDOS used a stack-based buffer overflow to hack the Alpine iLXF511, while Viettel Cyber Security targeted the Sony XAV9500ES and gained code execution privileges via a heap-based buffer overflow.
Juurin Oy, composed of Aapo Oksman, Elias Ikkelä-Koski and Mikael Kantola, returned to Pwn2Own to attempt the Kenwood DNR1007XR and the Alpitronic HYC50. They exploited a link-following vulnerability to breach the Kenwood device. Leveraging a Time-of-Check to Time-of-Use (TOCTOU) bug against the Level 3 charger, the team capped its successful exploit not only with a video but by installing a playable copy of the classic game Doom.
Pwn2Own Automotive 2026 Master of Pwn
After three days of intense competition at Automotive World in Tokyo, the German research team Fuzzware.io has secured the coveted title of Master of Pwn 2026.
Fuzzware.io's path to the crown was paved with high-profile takedowns of some of the most popular EV infrastructure in the world:
- Alpitronic HYC50 (Field Mode): A devastating "Out-of-Bounds Write" exploit that granted them full control over this commercial fast charger.
- Autel MaxiCharger: A complex 2-bug chain that combined code execution with their signature Signal Manipulation technique.
- Phoenix Contact CHARX: A "hat-trick" exploit involving three separate bugs and two add-ons, showcasing the team's ability to chain multiple vulnerabilities for maximum impact.
- Emporia & ChargePoint: Continued success against home chargers, using signal manipulation to prove that residential units are just as vulnerable as commercial stations.
As the 2026 champions, Scharnowski, Buchmann, and Covic return home not just with the "Master of Pwn" trophy, but with the distinction of setting a new standard for automotive security research.
That concludes Pwn2Own Automotive 2026! VicOne is honored to have co-hosted the third edition of this premier event alongside TrendAI Zero Day Initiative (ZDI). This competition did more than just showcase the ingenuity of the world’s top security researchers; it created a vital space for collaboration with industry leaders—strengthening the foundations of cybersecurity as the ecosystem accelerates toward the Software-Defined Vehicle (SDV) era and an increasingly connected Electric Vehicle Infrastructure.
With contributions from Dustin Childs of the ZDI